Date:      Wed, 12 Nov 2003 23:43:41 +0100
From:      Alex de Kruijff <>
To:        "Gorm J. Siiger" <>
Subject:   Re: ipfw FWD, NAT and routing
Message-ID:  <>
In-Reply-To: <20031111093609.GI94551@SonnIT.DK>
References:  <20031111093609.GI94551@SonnIT.DK>

On Tue, Nov 11, 2003 at 10:36:09AM +0100, Gorm J. Siiger wrote:
> Hi
> I'm experimenting with a dual ISP setup using NAT, as each ISP has provided
> me with a subnet of official IP addresses.
> Network setup:
> --------	--------
> | ISP1 |	| ISP2 |
> --------	--------
>    |               |
>    |    --------   |
>    -----|  FW  |----
>         --------
>            | 
>            |
>         --------
> 	|Server|
> 	--------
> ISP1 LAN   :
> ISP2 LAN   :
> Server LAN :
> Server IP on ISP1:
> Server IP on LAN:
> Server IP on ISP2:
> Server IP on LAN:
> The default gateway for the FW box is ISP1
> I can connect to the whole world via ISP1 from the server with source IP
> but when I try to connect to a host via ISP2 from source
> the TCP connection is very slow, and there is a lot of retransmissions.
> If I change the FW's default gateway to ISP2 it works like a charm.
> Any suggestions on how to fix this problem.

I don't understand what you want to achieve right now. Do you want
ISP2 to be used only when the clients open the IP in the 21/29 range?

Add this to /etc/rc.conf to set the routes up:
route_isp2="-net ISP2_GATEWAY"

If you only have one server that uses two IPs then forget about using
natd. Natd is for sharing an IP address with multiple computers.

> /usr/local/etc/natd.conf
>  use_sockets
>  unregistered_only yes
>  alias_address
>  redirect_address
>  redirect_address

Read the section about alias_address in the natd manual. This tells you
why you're having problems.

If you do need natd, because you have servers behind your gateway, then
you need to have one running on if_isp1 and one on if_isp2 with unique
configuration files. You need to write your own scripts that do this
and place them in /etc/local/etc/rc.d/, since this can not be done from

> /etc/rc.firewall
>  ${fwcmd} add 400 divert natd all from any to any via ${isp0if}
>  ${fwcmd} add 405 divert natd all from any to any via ${isp1if}
>  ${fwcmd} add 505 fwd ip from to any

Please read the section about forward in the ipfw manual. You seem to
have a wrong idea about what to put after the fwd action.
isn't a valid address.

If you need a specialised firewall then I would advise against modifying
rc.firewall and use another config file instead. The reason behind it is
that this file could be overridden if you update your OS. You can do this
by adding this to rc.conf:


This file should contain something like:

add   100 skipto 10000 ip from any to any via if_isp1
add   200 skipto 20000 ip from any to any via if_isp2
add   300 skipto 30000 ip from any to any via if_local
add   400 allow ip from any to any via lo0
add   500 deny ip from any to any

# Now the firewall is still simple. But if your needs grow the rules
# grow in number. Splitting this up early cuts the number of rules
# packets have to go through without the need to do so.

add 10100 divert natd1 ip from any to any
add 19999 allow ip from any to any

add 20100 divert natd2 ip from any to any
add 29999 allow ip from any to any

add 30100 fwd ISP2_address ip from to any
add 39999 allow ip from any to any


Articles based on solutions that I use:
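As an added example, not code from the post above nor from FreeBSD's own rc scripts, the following POSIX sh loader implements the layout the reply sketches: a skipto section per interface, one natd instance per ISP uplink with its own divert port and config file, and a fwd rule that sends packets sourced from the server's ISP2 address to the ISP2 gateway. It goes one step beyond the post by linting the rule set before loading it (rule numbers must increase, every skipto must jump forward, and every skipto target must land on a real section rather than falling through to the default rule). The interface names em0/em1/em2, the divert ports 8668/8669, the natd config paths and the `*_PLACEHOLDER` values are constructed assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the mailing list post): loader for a dual-ISP ipfw/natd
# layout. Interface names, divert ports and config paths are constructed
# assumptions; the *_PLACEHOLDER values must be replaced with real addresses.

IF_ISP1=${IF_ISP1:-em0}          # assumption: ISP1 uplink interface
IF_ISP2=${IF_ISP2:-em1}          # assumption: ISP2 uplink interface
IF_LOCAL=${IF_LOCAL:-em2}        # assumption: server-side interface
NATD1_PORT=8668                  # natd's default divert port, used for the ISP1 instance
NATD2_PORT=8669                  # constructed: a second port for the ISP2 instance
ISP2_GW=${ISP2_GW:-ISP2_GATEWAY_PLACEHOLDER}
SERVER_ISP2_IP=${SERVER_ISP2_IP:-SERVER_ISP2_IP_PLACEHOLDER}
NATD1_CONF=/usr/local/etc/natd-isp1.conf   # assumption: each file sets its own alias_address
NATD2_CONF=/usr/local/etc/natd-isp2.conf
DRY_RUN=${DRY_RUN:-1}            # default: print commands; set DRY_RUN= to really apply

# Print the command in dry-run mode, otherwise execute it.
run() { if [ -n "$DRY_RUN" ]; then echo "+ $*"; else "$@"; fi; }

# Emit the rule set. Each skipto target starts an interface section, and each
# section ends with an explicit allow so nothing falls through into the next one.
generate_rules() {
  cat <<EOF
add   100 skipto 10000 ip from any to any via $IF_ISP1
add   200 skipto 20000 ip from any to any via $IF_ISP2
add   300 skipto 30000 ip from any to any via $IF_LOCAL
add   400 allow ip from any to any via lo0
add   500 deny ip from any to any
add 10100 divert $NATD1_PORT ip from any to any
add 19999 allow ip from any to any
add 20100 divert $NATD2_PORT ip from any to any
add 29999 allow ip from any to any
add 30100 fwd $ISP2_GW ip from $SERVER_ISP2_IP to any
add 39999 allow ip from any to any
EOF
}

# Sanity-check a rule set read from stdin before loading it: rule numbers must
# increase, every skipto must jump forward, and every skipto target must have a
# rule at or after it (otherwise the packet hits the default rule 65535).
lint_rules() {
  awk '
    BEGIN { bad = 0 }
    $1 == "add" {
      n = $2 + 0
      if (n <= prev) { print "rule " n " is not after " prev; bad = 1 }
      prev = n; last = n
      if ($3 == "skipto") {
        t = $4 + 0
        if (t <= n) { print "rule " n ": skipto " t " does not jump forward"; bad = 1 }
        targets[t] = 1
      }
    }
    END {
      for (t in targets) if (t + 0 > last) { print "skipto " t " has no rule at or after it"; bad = 1 }
      exit bad
    }'
}

# One natd per uplink: -n binds the instance to an interface, -p picks the divert
# port named by the matching ipfw divert rule, -f points at its own config file.
start_natd_instances() {
  run /sbin/natd -n "$IF_ISP1" -p "$NATD1_PORT" -f "$NATD1_CONF"
  run /sbin/natd -n "$IF_ISP2" -p "$NATD2_PORT" -f "$NATD2_CONF"
}

# Lint, then flush and load the rules from a temporary file (ipfw reads
# "add ..." lines from a file given as its argument).
load_rules() {
  tmp=$(mktemp) || return 1
  generate_rules > "$tmp"
  if ! lint_rules < "$tmp"; then rm -f "$tmp"; return 1; fi
  run /sbin/ipfw -q -f flush
  run /sbin/ipfw -q "$tmp"
  rm -f "$tmp"
}

case "${1:-}" in
  apply) start_natd_instances && load_rules ;;
esac
```

Run it as `sh dualisp.sh apply` with DRY_RUN left at its default to see the natd and ipfw commands it would issue; with `DRY_RUN=` in the environment it starts both natd instances and loads the rules. Keeping the rules in their own file is what the reply recommends, and on FreeBSD the same file can be loaded at boot by setting `firewall_type` in rc.conf to its path, which rc.firewall hands to ipfw when the value is a readable file.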
